Children under the GDPR
The General Data Protection Regulation (“GDPR”), which modernised the laws that protect the personal data of individuals, has now been in force for almost five years.
While people may be aware that they have rights under GDPR, there tends to be less understanding of children’s rights, how these can be exercised, and the role played by those with parental responsibility.
Do children have data protection rights?
Children have the same rights as adults to data protection. This includes, among other things, the right to access their personal data (known as a data subject access request, or “DSAR”).
The question of when a child may exercise these rights for themselves, and when a parent can step in, is perhaps less straightforward. In summary, a child can exercise their data subject rights if they are competent to do so. Competence requires an understanding of their rights and the consequences of exercising those rights. In Scotland, a child who is 12 or older is generally presumed to be competent. However, this presumption can be displaced; a child under 12 may sufficiently understand their rights, and conversely a child over 12 may not (e.g. due to specific medical needs or learning difficulties).
This presumption does not apply in England & Wales or in Northern Ireland, where competence is based solely on the understanding of the child.
Where a child does not have sufficient competence to exercise their own data subject rights, an adult with parental rights and responsibilities may exercise the child’s rights on their behalf.
Parental responsibilities and rights in Scotland
In Scotland, parents have parental responsibilities and rights in relation to a child. This means that they are responsible for looking after and promoting the child’s health, welfare and development, and providing the child with direction and guidance. They can also act as the child’s legal representative. Parents’ rights and responsibilities must be exercised in a way which is in the best interests of the child. Parents living separately each continue to have parental rights and responsibilities in relation to a child, even if the child only spends time with one of them.
Handling DSARs made by parents
The question that can arise for some data controllers is when they should allow a child’s parents to exercise their child’s data subject rights. For example, what if a parent submits a DSAR to recover their child’s personal data? This can be particularly sensitive in cases where parents have separated and cannot agree on certain aspects of their child’s upbringing.
Step 1: Establish authority to make the DSAR
First, ascertain that the adult who is looking to exercise the child’s rights holds parental rights and responsibilities. This is normally done by obtaining a copy of the child’s birth certificate, or any court order relevant to the parental rights and responsibilities of the child.
The data controller should also ensure that it is satisfied as to the identity of the person making the DSAR, and if in doubt, should request ID documentation, such as a passport and/or proof of address.
Once this has been established, the child’s capacity should inform the next step.
Step 2: Assess the child’s capacity
When a child is too young or immature to exercise their own rights (or other specific issues impede the child’s competence), it is usually appropriate to let a parent exercise their child’s rights for them, provided it is evident that this is in the best interests of the child.
If a child is over 12, they are presumed old enough to understand their rights, subject to any evidence to the contrary. In this case, a parent would only be allowed to exercise the child’s rights if the child consents to this and it is considered to be in the best interests of the child. In the absence of the child’s consent, parents should be advised that the child should make the request themselves. However, data controllers must remain alert to the possibility of coercion or pressure on a child to make the DSAR.
There may be some borderline cases where a child is close to 12 and, in those circumstances, if they seem mature enough, it may be appropriate to seek their consent, or even to refuse the parent’s request. The nature of the data, and the impact of its disclosure on the child, will be relevant in informing that decision. If in doubt, it is generally sensible to follow the approach that best respects the rights and interests of the child.
Step 3: Respond in writing
A response should normally be provided within one month of the date of the request. If the data controller has determined that it will engage with the parent on the DSAR, it should provide the information requested, subject to any applicable exemptions or redactions. The response should also include certain supplementary information, including the data controller’s reasons for holding the data and an explanation of how long the data will be held for.
If the data controller has determined that it is not appropriate to engage with the parent, the response should explain its reasons for reaching that decision.
A DSAR response must always indicate that the requester has a right to request a review of the way in which the DSAR was handled, after which they have a right to complain to the Information Commissioner’s Office (the UK data regulator).
Step 4: Record keeping
Remember, data controllers have a statutory obligation under the GDPR not to disclose a child’s personal data unless there is a lawful basis for doing so. Therefore, the data controller should keep a careful record of its decision to disclose or withhold the personal data requested, in the event that either the parent or the child complains about the way in which this request is handled.